Nessus network auditing
Pages: 545 | Size: 4.7 MB | Format: PDF | Views: 1220


[email protected]

Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder’s Configuring ISA Server 2000, Brian Caswell and Jay Beale’s Snort 2.0 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique [email protected] program. Through this site, we’ve been able to provide readers a real time extension to the printed book.

As a registered owner of this book, you will qualify for free access to our members-only [email protected] program. Once you have registered, you will enjoy several benefits, including:

■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.

■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy to search web page, providing you with the concise, easy to access data you need to perform your job.

■ A “From the Author” Forum that allows the authors of this book to post timely updates, links to related sites, or additional topic coverage that may have been requested by readers.

Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.

Register for Free Membership to

285_NSS_FM.qxd 9/13/04 1:58 PM Page i


Renaud Deraison

Haroon Meer

Roelof Temmingh

Charl van der Walt

Raven Alder

Jimmy Alderson

Andy Johnston

George A. Theall

Jay Beale, Series Editor

HD Moore, Technical Editor

Noam Rathaus, Technical Editor

Nessus Network Auditing


Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.


PUBLISHED BY

Syngress Publishing, Inc.

800 Hingham Street

Rockland, MA 02370

Nessus Network Auditing

Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America

1 2 3 4 5 6 7 8 9 0

ISBN: 1-931836-08-6

Publisher: Andrew Williams

Acquisitions Editor: Christine Kloiber

Technical Editor: Jay Beale, HD Moore, and Noam Rathaus

Page Layout and Art: Patricia Lupien

Copy Editor: Beth Roberts

Indexer: Nara Wood

Cover Designer: Michael Kavish

Distributed by O’Reilly Media, Inc. in the United States and Canada.

For information on rights and translations, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email [email protected] or fax to 781-681-3585.


Acknowledgments


We would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, and Rob Bullington.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Rosie Moss, Chris Hossack, Mark Hunt, and Krista Leppiko, for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.


Series Editor, Technical Editor

Jay Beale is a security specialist focused on host lockdown and security audits. He is the lead developer of the Bastille project, which creates a hardening script for Linux, HP-UX, and Mac OS X; a member of the Honeynet Project; and the Linux technical lead in the Center for Internet Security. A frequent conference speaker and trainer, Jay speaks and trains at the Black Hat and LinuxWorld conferences, among others. Jay is a senior research scientist with the George Washington University Cyber Security Policy and Research Institute and makes his living as a security consultant through the MD-based firm Intelguardians, LLC, where he works on security architecture reviews, threat mitigation, and penetration tests against Unix and Windows targets.

Jay wrote the Center for Internet Security’s Unix host security tool, currently in use worldwide by organizations from the Fortune 500 to the Department of Defense. He leads the Center’s Linux Security benchmark team and, as a core participant in the non-profit Center’s Unix teams, is working with private enterprises and US agencies to develop Unix security standards for industry and government.

Jay has written a number of articles and book chapters on operating system security. He is a columnist for Information Security Magazine and previously wrote a number of articles for SecurityPortal.com and SecurityFocus.com. He co-authored the Syngress international best-seller Snort 2.0 Intrusion Detection (ISBN: 1-931836-74-4) and serves as the series and technical editor of the Syngress Open Source Security series, which includes Snort 2.1 Intrusion Detection, Second Edition (ISBN 1-931836-04-3) and Ethereal Packet Sniffing (ISBN 1-932266-82-8). Jay’s long-term writing goals include finishing a Linux hardening book focused on Bastille called, Locking Down Linux. Formerly, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the third largest retail Linux distribution.


HD Moore is one of the founding members of Digital Defense, a security firm that was created in 1999 to provide network risk assessment services. In the last four years, Digital Defense has become one of the leading security service providers for the financial industry, with over 200 clients across 43 states. Service offerings range from automated vulnerability assessments to customized security consulting and penetration testing. HD developed and maintains the assessment engine, performs application code reviews, develops exploits, and conducts vulnerability research.

Noam Rathaus is the co-founder and CTO of Beyond Security, a company specializing in the development of enterprise-wide security assessment technologies, vulnerability assessment-based SOCs (security operation centers) and related products. He holds an electrical engineering degree from Ben Gurion University, and has been checking the security of computer systems from the age of 13. Noam is also the editor-in-chief of SecuriTeam.com, one of the largest vulnerability databases and security portals on the Internet. He has contributed to several security-related open-source projects including an active role in the Nessus security scanner project. He has written over 150 security tests to the open source tool’s vulnerability database, and also developed the first Nessus client for the Windows operating system. Noam is apparently on the hit list of several software giants after being responsible for uncovering security holes in products by vendors such as Microsoft, Macromedia, Trend Micro, and Palm. This keeps him on the run using his Nacra Catamaran, capable of speeds exceeding 14 knots for a quick getaway. He would like to dedicate his contribution to the memory of Haim Finkel.

Technical Editors and Contributors


Renaud Deraison is the Founder and the primary author of the open-source Nessus vulnerability scanner project. He has worked for SolSoft, and founded his own computing security consulting company, Nessus Consulting. Nessus has won numerous awards, most notably the 2002 Network Computing ‘Well Connected’ award. Mr. Deraison also is an editorial board member of Common Vulnerabilities and Exposures Organization. He has presented at a variety of security conferences including the Black Hat Briefings and CanSecWest.

Raven Alder is a Senior Security Engineer for True North Solutions, a consulting firm specializing in network security design and implementation. She specializes in scalable enterprise-level security, with an emphasis on defense in depth. She designs large-scale firewall and IDS systems, and then performs vulnerability assessments and penetration tests to make sure they are performing optimally. In her copious spare time, she teaches network security for LinuxChix.org and checks cryptographic vulnerabilities for the Open Source Vulnerability Database. Raven lives in the Washington, DC area.

Jimmy Alderson is the Technical Product Manager at Atlanta-based GuardedNet, a leader in Security Information Management, as well as a Founding member of DC-based firm Intelguardians Network Intelligence. He is a member of the CVE Editorial board and a founding member of the Behavioral Computational Neuroscience Group which specializes in applications of stratification theory. Jimmy was the author of the first Security Information Management system as well as the original pioneer on the use of Taps for performing intrusion detection on switched networks. He has been an active member of the security community since 1992 specializing in vulnerability assessments, penetration tests, intrusion detection, architecture design/review, policy compliance and product design. As a manager, consultant, trainer, coder, and businessman, Jimmy lives a nomadic life from one area of expertise to another, as well as one geographic area to the next. Jimmy currently resides in Atlanta, GA where he spends most of the summer months indoors.

Andy Johnston, co-author of Unix Unleashed v4, supports IT security at the University of Maryland, Baltimore County (UMBC). He specializes in intrusion detection, incident response, and computer forensics. Andy’s background includes twelve years with Computer Sciences Corporation, primarily on NASA contracts. He has been active in local SAGE groups and has presented at SANS conferences. Andy holds a bachelor’s degree in biology from Princeton University and a master’s degree in math from UMBC. He currently resides in Baltimore.

Haroon Meer (B.Com [Info. Systems], CNA, CNE, MCSE, CISSP, CCSA, CCSE) is the Director of Development at SensePost. He completed his studies at the University of Natal with majors in information systems, marketing, and information systems technology. He began working for the University’s Computer Services Division during his first year of study and stayed on as a Systems Consultant, specializing in inter-network connectivity and Internet related systems. He joined SensePost in 2001 as part of the technical team, where he spends most of his time in the development of additional security related tools and proof of concept code. He has released several tools/papers on subject matters relating to Network / Web Application security and is a regular presenter at conferences like Black Hat and DefCon.

Roelof Temmingh is the Technical Director and a founding member of SensePost - a South African IT security assessment company. After completing his degree in electronic engineering he worked for four years at a leading software engineering company specializing in encryption devices and firewalls. In 2000 he started SensePost along with some of the country’s leaders in IT security. Roelof heads SensePost’s external security analysis team, and in his “spare time” plays with interesting concepts such as footprint and web application automation, worm propagation techniques, covert channels/Trojans and cyber warfare. Roelof is a regular speaker/trainer at international conferences including the Black Hat Briefings, DefCon, RSA, FIRST and Summercon. Roelof gets his kicks from innovative thoughts, tea, dreaming, lots of bandwidth, learning cool new stuff, Camels, UNIX, fine food, 3am creativity, and big screens. He dislikes conformists, papaya, suits, animal cruelty, arrogance, track changes, and dishonest people or programs.

George A. Theall is a frequent contributor to the Nessus mailing lists, is the author of several popular Nessus-related tools and has also contributed rewrites of several of the supplemental scripts and associated documentation in Nessus, to be distributed starting with version 2.2. He has authored many Perl scripts including: update-nessusrc, update-nessus-plugins, describe-nessus-plugin, and sd2nbe. George has worked as a systems developer and systems administrator for a major hospital in Philadelphia.

Charl van der Walt is a founder and director of SensePost Information Security, a South Africa-based Infosec services company. Having studied computer science in South Africa and then mathematics in Germany, Charl started his career as a programmer, before moving on to technical support and later to technical design of security technologies like firewalls, VPNs, PKI and file encryption systems, and finally to security analysis, assessments, and penetration testing. As a CISSP and BS7799 Lead Auditor, Charl’s combination of technical and theoretical skills are applied to developing systems and methodologies for understanding, evaluating and managing risk at all levels of the enterprise. He regularly releases work on both technical and theoretical issues and can often be seen teaching or speaking at academic institutions and security conferences like Black Hat and DefCon.


Michel Arboi is a Computer Security Consultant in the Algoriel ISO15408 evaluation laboratory. Over the course of his career, Michel has had extensive experience writing software (in C, mostly under UNIX), and is known for his work with Nessus. He has written about a hundred test plugins, has implemented OpenSSL support and wrote the second version of the Nessus Attack Scripting Language (NASL) interpreter - the scripting language designed specifically for Nessus. Michel received his Master’s Degree in engineering from ENSTA, and is currently trying desperately to decrypt several languages: English, Arabic, and Greek.

Ty Gast (CISSP) is a Senior Security Engineer at Betrusted, a premier global provider of security, identity and trust solutions to the world’s leading organizations. With 11 years of experience, he specializes in many facets of information assurance, including security assessments (network-based, wardialing, and wireless), secure network architecture development, computer forensics analysis, and managed security solutions. He was instrumental in constructing a large-scale Dragon IDS monitoring system monitoring hundreds of clients and thousands of devices, to include creating customized programs to handle alerts automatically without human intervention. He has also designed and taught computing courses for the U.S. Government. Ty currently resides in the Baltimore, MD area.

Appendix Contributors


About the CD

The CD-ROM accompanying this book includes the successful open-source tools: Snort, Ethereal and, of course, Nessus. Most files are included as a gzip-compressed tar archive, but in some cases .zip compressed files for use on Windows systems are included. Although the latest version of each piece of software at the time of this writing was placed on the CD-ROM, it should be noted that open source projects have active development cycles and so newer software versions may have been released since publication. An excellent place to find links to the latest releases of each piece of software is by checking each tool’s homepage (i.e. www.snort.org and www.ethereal.com).

For Nessus, we’ve included two versions: version 2.0.10a, which is currently the most stable version at the time of this writing for UNIX-compatible systems only; and version 2.1.1, the current development version also for UNIX-compatible systems only. This version is in beta and may not be stable yet, but it has the ability to perform local security checks in addition to remote tests. For any updates or newer versions, please visit the www.nessus.org site.

We’ve also included NeWT v2.0, a stand-alone security scanner made available by Tenable Network Security. NeWT (Nessus Windows Technology) is a native port of Nessus under Windows and is very easy to use and install. It runs the same vulnerability checks as the Nessus vulnerability scanner and also supports custom NASL checks.
